There are four primary attributes to a notification: category, sub-category, source and severity. By default, these attributes make up the facet search elements.
All notifications have three further base attributes: time, message and contact. The time appears to the left of the icon along with the category. Next appear the sub-category and message. At the bottom of the notification is an indication of whether contact was made. By default this type of contact is email; a checkbox appears if the notification caused an email to be sent.
At the bottom of the base format, to the left of the notification type, there is a code marker (<> or </>). You will see these markers throughout the interface.
Clicking on a code icon displays the JSON document that produces the interface output. This is extremely useful for understanding what is recorded, what can be searched and how to search for it.
The common notification categories are:
- High Confidence Alerts
- Network Behavior
- User Account Management
- Filter Management
- Sustained Limit
Understanding the types of notifications, why they appear and what they mean will enhance your use of Fluency.
High Confidence Alerts are notifications that require action when they appear. Processing nodes can place notifications into this alert category.
User activity notifications list the user login data. This information is also available on the admin->audit page. Login data includes the source network address and country. The “Base Notification Format” section contains an image of a login record being expanded.
Cloud notifications record the autonomous actions taken by the cloud management system to maintain Fluency. Common cloud actions are database management and sensor updates, such as rule file updates.
Network Behavior notifications come primarily from the RiskScore processes.
The RiskScore Record button navigates to the overview->riskscore page. The code button produces the full JSON record of the alert, but the RiskScore page is easier to use when reviewing the data.
If you plan to return to this page and want to keep your place, use the **"Pin This Page"** switch at the top right of the page. This keeps the page static and opens new pages wherever an interaction would otherwise have navigated you away.
Status notifications are alerts sent from the system to Fluency support to address the health and operation of the system. In the above example, the number of incoming alerts briefly exceeded the capacity of the system. The system then updated the alert to notify administration that the queue was still high but acceptable.
These notifications help Fluency administration ensure that the system has adequate resources to maintain high availability.
These alerts are related to the Active Directory alerts that support PCI DSS requirements, but they are useful for security operations as a whole. User Account Management alerts report when a user’s access control to the network has changed. This includes lockouts, role changes and new access.
The cloud management system reviews the filters to determine whether they are old and no longer triggering. The system removes old alert filters to prevent the high false-positive rates that occur with them. If an attribute needs a permanent filter, a signature may be more appropriate.
The Fluency system has a powerful tool called event watch, which maintains real-time analysis for a watched attribute. This allows the system to alarm when statistical thresholds are met. It is possible for there to be too many buckets (attribute values being watched), and the system will notify when this limit is reached. This is rare, and administration can adjust the system capacity to address it.
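To make the two behaviours described above concrete, here is an added example (not Fluency's own code) of a minimal event-watch model: one count bucket per watched attribute value, an alarm when a bucket reaches its threshold inside a sliding window, and a single Sustained Limit notification when the bucket cap is hit. The notification field names (`category`, `sub_category`, `source`, `severity`, `time`, `message`, `contact`) follow the attributes named on this page, but the exact JSON schema and the `src_ip` attribute are assumptions.

```python
from collections import deque

class EventWatch:
    """Hypothetical event-watch model, not Fluency's implementation. Keeps one
    bucket per distinct value of the watched attribute; alarms when a bucket's
    count inside the sliding window reaches the threshold, and emits a single
    'Sustained Limit' notification once no more buckets can be created."""

    def __init__(self, attribute, threshold, window_seconds, max_buckets):
        self.attribute = attribute
        self.threshold = threshold
        self.window = window_seconds
        self.max_buckets = max_buckets
        self.buckets = {}            # attribute value -> deque of event timestamps
        self.limit_notified = False
        self.now = 0

    def _notify(self, category, sub_category, severity, message):
        # Assumed notification layout built from the attributes named on the page.
        return {"category": category, "sub_category": sub_category,
                "source": "event-watch", "severity": severity, "time": self.now,
                "message": message, "contact": severity == "high"}

    def observe(self, event):
        """Feed one event; return the notifications (possibly none) it produced."""
        self.now = event["time"]
        value = event.get(self.attribute)
        if value is None:
            return []
        if value not in self.buckets:
            if len(self.buckets) >= self.max_buckets:
                if self.limit_notified:      # report the limit only once
                    return []
                self.limit_notified = True
                return [self._notify("Sustained Limit", "event watch", "medium",
                        f"bucket limit {self.max_buckets} reached for {self.attribute}")]
            self.buckets[value] = deque()
        q = self.buckets[value]
        q.append(self.now)
        while q and self.now - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) == self.threshold:                  # fire once, when the threshold is crossed
            return [self._notify("Network Behavior", "event watch", "high",
                    f"{self.attribute}={value}: {len(q)} events in {self.window}s")]
        return []

def run_demo():
    """Constructed sample events: logins keyed by source address (not real data)."""
    watch = EventWatch("src_ip", threshold=3, window_seconds=60, max_buckets=2)
    events = [{"time": t, "src_ip": ip} for t, ip in
              [(0, "10.0.0.5"), (10, "10.0.0.5"), (20, "10.0.0.5"),   # crosses threshold
               (25, "10.0.0.5"),                                     # still above, no re-fire
               (30, "10.0.0.9"), (31, "10.0.0.7"), (32, "10.0.0.8"),  # third bucket -> limit
               (100, "10.0.0.5")]]                                   # window slid, count reset
    return [n for e in events for n in watch.observe(e)]
```

`run_demo()` returns exactly two notifications: the threshold alarm for 10.0.0.5 at t=20 and one Sustained Limit notification at t=31; the later event at t=100 produces nothing because the earlier timestamps have aged out of the window.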